Microsoft Can't Patch Flaw in Windows 98, ME

With support for its Windows 98 and Windows Millennium Edition operating systems about to expire, Microsoft has given up on the idea of patching a critical security vulnerability in the products, the company announced this week.

The flaw has to do with the way Windows Explorer handles the Component Object Model objects used by Windows programs. Attackers could take over a system by tricking users into visiting a Web site that would then connect them to a remote file server.

"This remote file server could then cause Windows Explorer to fail in a way that could allow code execution," Microsoft said.

Microsoft had fixed the problem in the majority of its Windows products on April 11. At the time, it had promised to deliver a patch for Windows 98 and ME "as soon as possible."

Change of Plans

However, the company this week updated its bulletin on the issue, saying that this fix would require a lot of work and would possibly break applications being used on these platforms.

"After extensive investigation, Microsoft has found that it is not feasible to make the extensive changes necessary...to eliminate the vulnerability," Microsoft's bulletin states. "We have found that these architectures will not support a fix for this issue now or in the future."

Microsoft is about to stop providing security fixes for Windows 98 and ME altogether. The company's next monthly patch release, due next Tuesday, is the last scheduled security fix for the two operating systems.

Microsoft executives could not be reached to comment for this story.
